Some antivirus products are configured with an auto-protect feature, which allows files to be scanned as they are accessed to prevent a virus from spreading and infecting the system. Some auto-protect features scan and repair compressed files without having to expand the file first. The auto-protect feature scans files sent from the Internet, removable disks, or e-mail attachments and looks for viruses, Trojan horse programs, and other malware. A clean file cache can be maintained and used by the auto-protect feature to avoid unnecessarily re-scanning a file that has not been modified since it was last scanned and determined to be clean.
In typical operation, a target file is accessed for the first time during a user session. Prior to allowing that access to complete, the auto-protect feature automatically scans the file for malware. If malware is identified, the corresponding security application will take remedial action (e.g., cleaning, deleting, or quarantining the suspect code). Once the target file is determined to be clean (assuming it can be cleaned or was simply not infected), a corresponding entry is made in the clean file cache that identifies the file and its corresponding time stamp (or other modification indicator). If the target file is subsequently accessed, the auto-protect feature accesses the clean file cache to confirm whether the target file is present and remains unmodified since last determining its clean status. If so, then no scanning is performed. Otherwise, the target file can be re-scanned for various security risks such as those previously mentioned.
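As an added illustration (not code from the patent or any product it describes), the following toy on-access cache implements the behaviour just described: a file is scanned on first access, a clean verdict is recorded with the file's modification indicator, an unchanged file is not re-scanned, and a modified file is. The scanner, the malware marker, and the file names are constructed for the demo.

```python
import os
import tempfile

# Constructed marker the toy scanner treats as "infected"; not a real signature.
TOY_MALWARE_MARKER = b"<<constructed-malware-marker>>"


def scan_file(path):
    """Toy on-access scanner: returns True when the file is clean."""
    with open(path, "rb") as fh:
        return TOY_MALWARE_MARKER not in fh.read()


def modification_indicator(path):
    """Identity plus modification indicator stored with each cache entry."""
    st = os.stat(path)
    return (st.st_ino, st.st_size, st.st_mtime_ns)


class CleanFileCache:
    """In-memory clean file cache: it lives only for the current boot session
    and is never written to disk, so it cannot carry stale verdicts across a
    reboot into another operating system."""

    def __init__(self):
        self._entries = {}  # path -> indicator recorded at the last clean scan
        self.scans = 0      # number of real scans performed (for checking hits)

    def on_access(self, path):
        """Called before a file access completes. Returns (clean, from_cache)."""
        indicator = modification_indicator(path)
        if self._entries.get(path) == indicator:
            return True, True              # unchanged since last clean verdict
        self.scans += 1
        clean = scan_file(path)
        if clean:
            self._entries[path] = indicator
        else:
            self._entries.pop(path, None)  # never keep an infected file cached
        return clean, False


def demo():
    """Exercise the cache on a constructed file in a temporary directory."""
    cache = CleanFileCache()
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "doc.txt")
        with open(p, "wb") as fh:
            fh.write(b"harmless content")
        first = cache.on_access(p)    # scanned once, clean
        second = cache.on_access(p)   # cache hit, no scan
        with open(p, "ab") as fh:     # file changes size and mtime
            fh.write(TOY_MALWARE_MARKER)
        third = cache.on_access(p)    # indicator differs, re-scanned, infected
    return first, second, third, cache.scans
```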
Currently, the clean file cache feature is not persisted to disk or reused across boots. This is because there are no mechanisms to ensure that the file system has not been modified by, for example, dual-booting into an infected and/or unprotected operating system environment, where files listed in the clean file cache may have become infected while proper security protection mechanisms were not present. As is known, dual-booting is enabled when multiple operating systems (two or more) are installed on a computer. At boot time, a boot loader program is activated, thereby allowing the user to choose which operating system to boot. Dual-booting is found in many systems, such as those where the desired applications or other programmed functionality cannot all run on any one operating system (e.g., where some applications run on a Microsoft operating system and other applications run on a Linux operating system). Dual-booting also allows a user to migrate data prior to removing an old operating system.
What is needed, therefore, is a reliable mechanism for detecting whether a system has booted into an unprotected/compromised environment, so that a persisted clean file cache can be used across boots when appropriate.